28/01/2014

Data Protection Day: Home Secretary signs a national security certificate to permit the unacceptable

Happy Data Protection Day.

This is perhaps an appropriate day to read the National Security Certificate signed by Theresa May, Home Secretary, in 2011; it involves the capture of images from Transport for London’s (TfL’s) Congestion Charge CCTV/ANPR cameras and their onward disclosure, via the Metropolitan Police, to the national security agencies.

In summary, the Certificate is broadly drafted and allows for disclosures for purposes that are not necessaryfor the functions of the national security agencies; the drafting could even permit transfers of personal data to dodgy countries for any purpose. I show how this happens in this blog.

Whether such disclosures and transfers occur in practice is, of course, hopefully unlikely. However, in a post-Snowden era where national security agencies are being scrutinised like never before, I think this Certificate should be withdrawn and reworded. The justifications offered by Mrs May simply do not “stack up” and, in general, the errors in this Section 28 Certificate could be found in others.

The Certificate states that the S.28 exemption in the Data Protection Act covers the following personal data:

“images taken by the Cameras” (of TfL); and

“personal data derived from the images, including vehicle registration mark, date, time, place and camera location”.

The Certificate does not concern the retention of personal data or define the extent of image capture. For instance, is there a list of “suspect cars” where only target details are captured, or is there mass capture of all images irrespective of whether there is any suspicion? If it is the latter then, rather like mass telecoms meta-data retention by GCHQ/NSA, there is daily mass CCTV image retention of anybody who drives into central London.

Details about the TfL Certificate

The Certificate covers a chain linking at least three data controllers. First, there is Transport for London (TfL) which collects the images and registration marks of all vehicles that enter the Congestion Charge Scheme. These personal data are then passed for national security purposes to the National Security Units of the Metropolitan Police Service (MPS is the data controller).

The Certificate confirms there is an onward disclosure from these National Security Units to other unspecified agencies (these agencies are the third set of data controllers in the chain; they also process for the national security purpose). If you print off the Certificate below, the National Security Units are covered by Part A, TfL by Part B, and these other agencies by Part C (i.e. the Certificate covers all the data controllers in the chain).

The Certificate exempts these controllers from the requirement to provide a fair processing notice, the rights of access, the ability of the Information Commissioner to enforce the Act, and the Second Principle. The National Security Units have an additional exemption from the Eighth Principle, and rights associated with objection and automated decision taking (which suggests that automated decision taking might occur).

The Certificate states that the justifications for the capture of the personal data from TfL are:

“providing information on movements in London of these groups and/or individuals breaching, suspected of breaching or planning to breach national security”;

“allowing the investigation of occurrences designed to breach, damage, or having the effect of breaching or damaging national security” ; and

“providing information which will allow the anticipation of the movements in London of those groups and/or individuals breaching, suspected of breaching or planning to breach national security”.

The Certificate then exempts the Second and Eighth Principles on the grounds that if these Principles were not exempt, then the National Security Units would be:

prevented from “passing data outside the European Economic Area” (the Eighth Principle issue); and

prevented from allowing “access by third parties to the premises assigned to the police officers and support staff, including consultants, of National Security Units” (the Second Principle issue).

Analysis of the exemption from the Second & Eighth Principles

It is convenient to discuss the Second Principle exemption first in the context of TfL (the data controller that collects the personal data). Normally, the Second Principle would require TfL to decide whether or not a disclosure of personal data for a national security purpose would be incompatible with the purpose of its original obtaining of personal data for the congestion charge purpose.

Clearly, the congestion charge purpose and the national security purpose are incompatible. Hence the exemption from the Second Principle is needed to remove the need for TfL to have such regard to the disclosure for the national security purpose. So far so good.

Now we come to the Metropolitan Police data controller (which covers the National Security Units); their purpose of obtaining is the policing purpose and national security purpose. However, the Certificate provides them with an exemption from the Second Principle which means that they do not have to have regard for any further disclosure purpose that is incompatible with the purposes of obtaining (i.e. incompatible with the policing/national security purpose).

I hope, by now, you are having what is known in South Yorkshire as an “ey-upp” moment. Why should the National Security Units want to make disclosures which are incompatible with their national security functions? Similarly, as Certificate also provides the third set of data controllers with this exemption, they too have ability to make disclosures that are incompatible with their national security function. Why do such disclosures occur? And to whom do they disclose?

There is a similarly position with respect to the Eighth Principle exemption for the National Security Units. In general, the Eighth Principle requires a data controller to perform a risk assessment on the adequacy of protection, prior to the transfer of personal data outside the European Economic Area (see paragraph 13 of Schedule 1, Part II), or apply an exemption from the need to assess adequacy (as specified in Schedule 4).

I would argue that if the National Security Units were to make any transfer of personal data outside the EEA for a national security purpose, then such a transfer would be in the “substantial public interest” (see Schedule 4, paragraph 4). In these circumstances, there is no need to assess adequacy.

It then follows that the National Security Units have been granted, by the Certificate, an ability to transfer personal data outside the EEA for purposes that possess little in the way of “substantial public interest”. Again, the questions has to be asked; why do such transfers occur? And to whom do these Units transfer?

Questions to pose on this Data Protection Day

Mrs May has signed this Certificate; she needs to answer the questions posed in relation to the Second and Eighth Principle above. Why should National Security Units (and their third party agents) be granted wide ranging discretion to make disclosures for purposes unconnected with national security? Why should the Units be able to make transfers for purposes unconnected with national security?

In addition, Mrs May needs to explain the nature of any mass data capture and why the Certificate could not have been drafted precisely by expressing it in terms of, for example, “processing that is necessaryfor the safeguarding of national security in relation to acts of terrorism and serious crime” (this engages Article 8 of the Human Rights Act and limits the surveillance to terrorism and serious crime).

Mrs May needs to explain why she has decided that the Information Commissioner cannot enforce the Act and why she is limiting the powers of a Regulator to act on behalf of a data subject in a matter that concerns the processing of personal data.

And if Mrs May does not want to answer, we can always ask Boris who is responsible TfL.

Of course, it could be that the Certificate has been too widely drafted. If this is the case, then the suspicion must be that ALL Certificates have this defect. If this is the case, then the system of issuing national security Certificates could well be unfit for purpose.

Another explanation could be a basic mistake in data protection understanding. For instance, each data controller has to apply the data protection principles to his processing and, in terms of the Second Principle, each data controller has a “purpose of obtaining”. In this Certificate, the Home Secretary has assumed that the National Security Units "purpose of obtaining" is the orginal TfL one (i.e. the Units purpose of obtaining is that on another data controller). This is a likely explanation.

Back in 1979, the Lindop Report into Data Protection (Cmnd 7341, paras 23.21-23.24) stated that the national security agencies should be subject to a Code of Practice that was independently supervised. It concluded that it was important to take the national security agencies out of their “hermetically sealed” environment in order to ensure that these agencies would be "open to the healthy - and often constructive - criticism and debate which assures for many other public servants that they will not stray beyond their allotted functions".

So I end this blog by asking a basic question. Do you think that the national security agencies have “strayed”? If so, then part of the current review of supervision of the national security agencies must include Section 28 Certificates under the Data Protection Act.

References

No mention of the above in “What do you need to know about Congestion Charging?” (2013) Clearly, you don’t need to know! I cannot understand why if the Certificate is in the public domain, why TfL is so reticent to make comments on this data sharing arrangement. http://www.tfl.gov.uk/assets/downloads/cc-leaflet-generic-20130701.pdf

Comments

You can follow this conversation by subscribing to the comment feed for this post.

The Lindop Report also said that we should never have a Universal Personal Identifier since this breached privacy. Unfortunately nobody told the scientists this - which has led to DNA profiling and the fact that we all have a genetic 'universal personal identifer'. You cannot uninvent stuff, we have to learn to live with this and embrace the change.

In many ways the Lindop Report is a bit like the old Red Flag rule for motor cars - it is rooted in local history and pre-internet technologies which have been overtaken by events. In my view these latest changes are driven by commercial issues involving Big Data. It is natural for the police and security forces to look to find ways of commercialising their security data - since this should lead to cost savings and improved security for everyone. So I think the reason why this onward disclosure is allowed is to enable the security forces to make money and be less of a drain on the public purse.

Now purists may object to this but if the police and security services can make money from this data then the principle role of government, in protecting its citizens, is fulfilled at a lower cost.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.